The communications industry is rapidly changing to adjust to emerging technologies and ever increasing customer demand. This customer demand for new applications and increased performance of existing applications is driving communications network and system providers to employ networks and systems having greater speed and capacity (e.g., greater bandwidth). In trying to achieve these goals, a common approach taken by many communications providers is to use packet switching technology. Increasingly, public and private communications networks are being built and expanded using various packet technologies, such as Internet Protocol (IP).
A network device, such as a switch or router, typically receives, processes, and forwards or discards a packet based on one or more criteria, including the type of protocol used by the packet, addresses of the packet (e.g., source, destination, group), and type or quality of service requested. Additionally, one or more security operations are typically performed on each packet. But before these operations can be performed, a packet classification operation must typically be performed on the packet.
Packet classification as required for, inter alia, access control lists (ACLs) and forwarding decisions, is a demanding part of switch and router design. The packet classification of a received packet is increasingly becoming more difficult due to ever increasing packet rates and number of packet classifications. For example, ACLs typically require matching packets on a subset of fields of the packet header or flow label, with the semantics of a sequential search through the ACL rules.
Access control and quality of service features are typically implemented based on programming contained in one or more ACLs. A network administrator controls access to a network using access control lists (ACLs). ACLs are very flexible and allow the network administrator to specify several conditions to be met and several actions to be taken. The syntax is such that it is most easily interpreted in a serial fashion. When an ACL entry matches a packet in a process of serially evaluating an ACL in a known system, one of the actions that may be required is to skip over a certain number of subsequent ACL entries before resuming the serial evaluation. When implemented by a software program, a serial interpretation is quite natural, however, the number of packets per second that can be processed is limited.
In high performance network switches, a ternary content addressable memory (TCAM) is commonly used to increase the number of packets per second that can be processed as it allows lookup operations to be performed in parallel on numerous entries corresponding to ACL actions. However, the performance advantage of a TCAM is only available if all entries are evaluated at once and a TCAM chip can only provide the address of the first matching entry.
So, to implement features in hardware in which more than one matching condition can be specified, these multiple ACL lists are typically combined into one list using a software merge transformation which can be used for programming and associative memory. Various techniques are known for combining these items, such as Binary Decision Diagram (BDD) and Order Dependent Merge (ODM). For example, if there are two ACLs A (having entries A1 and A2) and B (having entries B1 and B2, then ODM combines these original lists to produce one of two cross-product equivalent ordered lists, each with four entries: A1B1, A1B2, A2B1, and A2B2; or A1B1, A2B1, A1B2, and A2B2. These four entries can then be programmed into an associative memory and an indication of a corresponding action to be taken placed in an adjunct memory. Lookup operations can then be performed on the associative and adjunct memories to identify a corresponding action to use for a particular packet being processed. There are also variants of ODM and BDD which may filter out the entries which are unnecessary as their values will never allow them to be matched.
However, these software merge techniques can cause each ACL entry to consume multiple entries in the TCAM. If this memory usage expansion could be avoided, a smaller, less expensive TCAM could be used or, for the same size TCAM, larger ACLs could be supported.
Similar lookup operations are required for implementing security features, such as, but not limited to the security architecture for the Internet Protocol (IPsec) defined in. S. KENT and R. ATKINSON, “Security Architecture for IP,” RFC 2401, November 1998, which is hereby incorporated by reference. An IPsec (IP security) implementation operates in a host or a security gateway environment, affording protection to IP traffic. The protection offered is based on requirements defined by a Security Policy Database (SPD) established and maintained by a user or system administrator, or by an application operating within constraints established by either of the above. In general, packets are selected for one of three processing modes based on IP and transport layer header information matched against entries in the database. Each packet is either afforded IPsec security services, discarded, or allowed to bypass IPsec, based on the applicable database policies.
IPsec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more “paths” between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The set of security services that IPsec can provide includes access control, connectionless integrity, data origin authentication, rejection of replayed packets (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality. Because these services are provided at the IP layer, they can be used by any higher layer protocol, e.g., TCP, UDP, ICMP, BGP, etc.
IPsec packet classification is specified as a two-layer hierarchy: the relevant security policy (SP) must be found first out of an ordered list of SPs, and then within the context of the located SP, the correct security association (SA) must be found. A security association is a simplex “connection” that affords security services to the traffic carried by it. To secure typical, bi-directional communication between two hosts or between two security gateways, two security associations (one in each direction) are required. A security association is uniquely identified by a triple consisting of a Security Parameter Index (SPI), an IP Destination Address, and a security protocol identifier. In principle, the destination address may be a unicast address, an IP broadcast address, or a multicast group address. The set of security services offered by an SA depends on the security protocol selected, the SA mode, the endpoints of the SA, and on the election of optional services within the protocol. For example, one security protocol provides data origin authentication and connectionless integrity for IP datagrams.
RFC 2401 defines a two-step process for performing lookup operations to in order to identify a SA associated with a packet, i.e., by first performing a lookup in a security policy database and then, performing a subsequent second lookup operation based on the identified security policy to identify the corresponding security association). Especially as packet rates and then number of packets to be processed by a packet processor increases, this two-stage lookup process can be limiting. Moreover, this security processing is just one operation to be performed on a packet, as additional access control list processing is also typically performed on a packet. Desired are new mechanisms for performing these lookup operations.